GithubHelp home page GithubHelp logo

kursh / simpleunpacker Goto Github PK

View Code? Open in Web Editor NEW

This project forked from cr4sh/simpleunpacker

0.0 2.0 0.0 1016 KB

Simple tool for unpacking packed/protected malware executables.

Home Page: http://d-olex.blogspot.com/

simpleunpacker's Introduction

    
  SIMPLE UNPACKER
  PoC Tool by Oleksiuk Dmytro (aka Cr4sh), Esage Lab

  http://d-olex.blogspot.com/
  mailto:[email protected]

=================================  

This tool designed for semi-automation unpacking of malware samples, by the following way:

1) Creates malware process with CreateProcess() and PROCESS_DEBUG flag.

2) Dispatching debug events, and setting breakpoints on some APIs, that calls somewhere in unpacked malware body.

3) When breakpoint occurs -- tool performs dumping of unpacked malware executable image.

Of course, to use it you must know what exactly API calls in unpacked malware body, to set breakpoint (unpacking marker) on them.


USAGE:

  > SimpleUnpacker.exe <input_file> --bp <module>!<function>
  
For setting breakpoints on many functions, you can use multipile --bp keys in command line options.
Unpacked binary will be saved in dumped.exe, you can load it into the IDA Pro, or into yor own process (with LoadLibraryEx() + DONT_RESOLVE_DLL_REFERENCES) for further researching.


Exampe of unpacking SpyEye trojan dropper:

-------------------------------------------------------------------

  C:\> SimpleUnpacker.exe dropper.exe --bp kernel32.dll! CreateToolhelp32Snapshot
  
  [+] Breakpoint: kernel32.dll!CreateToolhelp32Snapshot()
  [+] Process command line: "dropper.exe"
  CREATE_PROCESS: ImageBase=0x00400000, StartAddress=0x00420090
  DLL_LOAD: 0x7c900000 "ntdll.dll"
  DLL_LOAD: 0x7c800000 "C:\WINDOWS\system32\kernel32.dll"
  [+] Breakpoint on kernel32.dll!CreateToolhelp32Snapshot() has been set: 0x7c865b1f
  DLL_LOAD: 0x7e410000 "C:\WINDOWS\system32\USER32.dll"
  DLL_LOAD: 0x77f10000 "C:\WINDOWS\system32\GDI32.dll"
  DLL_LOAD: 0x73000000 "C:\WINDOWS\system32\WINSPOOL.DRV"
  DLL_LOAD: 0x77dd0000 "C:\WINDOWS\system32\ADVAPI32.dll"
  DLL_LOAD: 0x77e70000 "C:\WINDOWS\system32\RPCRT4.dll"
  DLL_LOAD: 0x77fe0000 "C:\WINDOWS\system32\Secur32.dll"
  DLL_LOAD: 0x77c10000 "C:\WINDOWS\system32\msvcrt.dll"
  DLL_LOAD: 0x3d930000 "C:\WINDOWS\system32\WININET.dll"
  DLL_LOAD: 0x77f60000 "C:\WINDOWS\system32\SHLWAPI.dll"
  DLL_LOAD: 0x78130000 "C:\WINDOWS\system32\urlmon.dll"
  DLL_LOAD: 0x774e0000 "C:\WINDOWS\system32\ole32.dll"
  DLL_LOAD: 0x77120000 "C:\WINDOWS\system32\OLEAUT32.dll"
  DLL_LOAD: 0x3dfd0000 "C:\WINDOWS\system32\iertutil.dll"
  EXCEPTION_BREAKPOINT at 0x7c90120e
  CREATE_THREAD: StartAddress=0x00000000
  DLL_LOAD: 0x76390000 "C:\WINDOWS\system32\IMM32.DLL"
  DLL_LOAD: 0x773d0000 "C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_65
  95b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll"
  CREATE_THREAD: StartAddress=0x7c8106e9
  EXCEPTION_BREAKPOINT at 0x7c865b1f
  [+] Breakpoint occurs: kernel32.dll!CreateToolhelp32Snapshot
  [+] Dumping image 0x00400000 Size=0x0007d000
  Fixing FileAlignment 0x00000200 -> 0x00001000
  Fixing section raw address 0x00000400 -> 0x00001000
  Fixing section raw address 0x00000400 -> 0x00040000
  Fixing section raw address 0x00021600 -> 0x00062000
  [+] Image dumped to "dumped.exe"
  DONE

-------------------------------------------------------------------

simpleunpacker's People

Contributors

cr4sh avatar

Watchers

James Cloos avatar avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.